A global law enforcement operation this week took down and dismantled the notorious Qakbot botnet, touted as the largest U.S.-led financial and technical disruption of a botnet infrastructure.

Qakbot is a banking trojan that became infamous for providing an initial foothold on a victim’s network for other hackers to buy access and deliver their own malware, such as ransomware. U.S. officials said Qakbot has helped to facilitate more than 40 ransomware attacks over the past 18 months alone, generating $58 million in ransom payments.

The law enforcement operation, named “Operation Duck Hunt,” saw the FBI and its international partners seize Qakbot’s infrastructure located in the United States and across Europe. The U.S. Department of Justice, which ran the operation alongside the FBI, also announced the seizure of more than $8.6 million in cryptocurrency from the Qakbot cybercriminal organization, which will soon be made available to victims.

In Tuesday’s announcement, the FBI said it carried out an operation that redirected the botnet’s network traffic to servers under the U.S.

government’s control, allowing the feds to take control of the botnet. With this access, the FBI used the botnet to instruct Qakbot-infected machines around the world into downloading an FBI-built uninstaller that untethered the victim’s computer from the botnet, preventing further installation of malware through Qakbot.

The FBI said its operation had identified approximately 700,000 devices infected with Qakbot as of June — including more than 200,000 located in the United States. During a call with reporters, a senior FBI official said that the total number of Qakbot victims is likely in the “millions.”

Here’s how Operation Duck Hunt went down.

How did the operation work?

According to the application for the operation’s seizure warrant, the FBI identified and gained access to the servers running the Qakbot botnet infrastructure hosted by an unnamed web hosting company, including systems used by the Qakbot administrators. The FBI also asked the court to require the web host to secretly produce a copy of the servers to prevent the host from notifying its customers, the Qakbot administrators.

Some of the systems the FBI got access to include the Qakbot’s stack of virtual machines for testing their malware samples against popular antivirus engines, and Qakbot’s servers for running phishing campaigns named after former U.S. presidents, knowing well that political-themed emails are likely to get opened. The FBI said it was also able to identify Qakbot wallets that contained crypto stolen by Qakbot’s administrators.

“Through its investigation, the FBI has gained a comprehensive understanding of the structure and function of the Qakbot botnet,” the application reads, describing its plan for the botnet takedown. “Based on that knowledge, the FBI has developed a means to identify infected computers, collect information from them about the infection, disconnect them from the Qakbot botnet and prevent the Qakbot administrators from further communicating with those infected computers.”

Qakbot uses a network of tiered systems — described as Tier 1, Tier 2 and Tier 3 — to control the malware installed on infected computers around the world, according to the FBI and findings by U.S. cybersecurity agency CISA.

The FBI said that Tier 1 systems are ordinary home or business computers — many of which were located in the United States — infected with Qakbot that also have an additional “supernode” module, which makes them part of the botnet’s international control infrastructure. Tier 1 computers communicate with Tier 2 systems, which serve as a proxy for network traffic to conceal the main Tier 3 command and control server, which the administrators use to issue encrypted commands to its hundreds of thousands of infected machines.

With access to these systems and with knowledge of Qakbot’s encryption keys, the FBI said it could decode and understand Qakbot’s encrypted commands. Using those encryption keys, the FBI was able to instruct those Tier 1 “supernode” computers into swapping and replacing the supernode module with a new module developed by the FBI, which had new encryption keys that would lock out the Qakbot administrators from their own infrastructure.

Swap, replace, uninstall

According to an analysis of the takedown efforts from cybersecurity company Secureworks, the delivery of the FBI module began on August 25 at 7:27 p.m. in Washington, DC.

The FBI then sent commands instructing those Tier 1 computers to communicate instead with a server that the FBI controlled, rather than Qakbot’s Tier 2 servers. From there, the next time that a Qakbot-infected computer checked in with its servers — every one to four minutes or so — it would find itself seamlessly communicating with an FBI server instead.

After Qakbot-infected computers were funneled to the FBI’s server, the server instructed the computer to download an uninstaller that removes the Qakbot malware altogether. (The uninstaller file was uploaded to VirusTotal, an online malware and virus scanner run by Google.) This doesn’t delete or remediate any malware that Qakbot delivered, but would block and prevent another initial Qakbot infection.

The FBI said that its server “will be a dead end,” and that it “will not capture content from the infected computers,” except for the computer’s IP address and associated routing information so that the FBI can contact Qakbot victims.

“The Qakbot malicious code is being deleted from victim computers, preventing it from doing any more harm,” prosecutors said Tuesday.

This is the most recent operational takedown the FBI has carried out in recent years.

In 2021, the feds carried out the first-of-its-kind operation to remove backdoors planted by Chinese hackers on hacked Microsoft Exchange email servers. A year later, the FBI disrupted a massive botnet used by Russian spies to launch powerful and disruptive cyberattacks designed to knock networks offline, and, earlier this year, knocked another Russian botnet offline that had been operating since at least 2004.

Source

X, the social network that you can access at twitter.com, is planning to collect users' biometric information, employment history, and educational history, according to an updated privacy policy. "Based on your consent, we may collect and use your biometric information for safety, security, and identification purposes," the new policy says.

X posted the new version of its privacy policy yesterday, saying it will go into effect on September 29. The current privacy policy that doesn't include collecting biometric data and employment history will remain in effect until September 29.

The new policy says that X "may collect and use your personal information (such as your employment history, educational history, employment preferences, skills and abilities, job search activity and engagement, and so on) to recommend potential jobs for you, to share with potential employers when you apply for a job, to enable employers to find potential candidates, and to show you more relevant advertising."

The biometric data and employment history disclosures are listed in the section, "information you provide us." The policy does not say what kind of biometric data X would collect. We contacted X about the changes and will update this article if we get a response.

X to offer video and audio calls

The privacy policy changes are being made as X plans to offer video and audio calls. "Video & audio calls coming to X," owner Elon Musk wrote today. The call feature will work on iOS, Android, Mac, and PCs and will not require a phone number, according to Musk.

"X is the effective global address book" for the forthcoming video and audio call service, Musk wrote. Musk has previously described plans to turn X into an "everything app."

The changes could face scrutiny from the Federal Trade Commission. Before Musk bought Twitter, the company agreed to settlements in 2011 and 2022 with the FTC over privacy violations. For example, the 2022 settlement requires assessments of risks to privacy, security, and confidentiality before Twitter launches new or modified products and services.

Several of Twitter's top privacy and security executives resigned in November 2022, reportedly over concerns that Musk's rapid rollout of new features without full security reviews would violate the FTC consent decree. Musk's massive layoffs also fueled a new FTC investigation into whether the company has enough resources to protect users' privacy.

Musk tries to terminate privacy settlement

In mid-July, Musk's X Corp. asked a federal judge to terminate or modify the 2022 settlement with the FTC and to prevent the FTC from deposing Musk. The motion claimed the FTC's ongoing investigation into X "has spiraled out of control and become tainted by bias." A hearing on the motion is scheduled for November 16.

Separately, a pending lawsuit filed by a Twitter user in July alleges that X collects biometric data without properly notifying users in violation of the Illinois Biometric Information Privacy Act. The class-action complaint was filed in Cook County Circuit Court.

The lawsuit says that since 2015, Twitter has used software to restrict not-safe-for-work images. The analysis software "makes use of the biometric identifiers and biometric information of any individual included in each photo," but the company has not adequately informed users "that it collects and/or stores their biometric identifiers in every photograph containing a face that is uploaded to Twitter," the complaint said.

Source

Victims face a range of serious violations and abuses, including threats to their safety and security; and many have been subjected to torture and cruel, inhuman and degrading treatment or punishment, arbitrary detention, sexual violence, forced labour, and other human rights abuses, the report says.

“People who are coerced into working in these scamming operations endure inhumane treatment while being forced to carry out crimes. They are victims. They are not criminals,” said UN High Commissioner for Human Rights Volker Türk.

“In continuing to call for justice for those who have been defrauded through online criminality, we must not forget that this complex phenomenon has two sets of victims.”

The enormity of online scam trafficking in Southeast Asia is difficult to estimate, the reports says, because of the clandestine nature and gaps in the official response. Credible sources indicate that at least 120,000 people across Myanmar may be held in situations where they are forced to carry out online scams, with estimates in Cambodia similarly at around 100,000. Other States in the region, including Lao PDR, the Philippines and Thailand, have also been identified as main countries of destination or transit where at least tens of thousands of people have been involved.

The scam centres generate revenue amounting to billions of US dollars each year.

The COVID-19 pandemic and associated response measures had a drastic impact on illicit activities across the region. Public health measures closed casinos in many countries and in response, casino operators moved operations to less regulated spaces including conflict-affected border areas and Special Economic Zones, as well as to the increasingly lucrative online space, the report says.

Faced with new operational realities, criminal actors increasingly targeted migrants in vulnerable situations – who were stranded in these countries and out of work due to border and business closures – for recruitment into criminal operations, under the pretence of offering them real jobs. As COVID-related shutdowns saw millions of people restricted to their homes, spending more time online, there were more ready targets for online fraud schemes and more people susceptible to fraudulent recruitment.

Most people trafficked into the online scam operations are men, although women and adolescents are also among the victims, the report says. Most are not citizens of the countries in which the trafficking occurs. Many of the victims are well-educated, sometimes coming from professional jobs or with graduate or even post-graduate degrees, computer-literate and multi-lingual. Victims come from across the ASEAN region (from Indonesia, Lao PDR, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam), as well as mainland China, Hong Kong and Taiwan, South Asia, and even further afield from Africa and Latin America.

While some countries in Southeast Asia have put in place legal and policy frameworks relevant to counter trafficking, in some cases they fall short of international standards. In many cases their implementation has failed to respond adequately to the context and sophistication of these online scams, the report says.

Victims of trafficking and other human rights abuse are erroneously identified as criminals or as immigration offenders and, rather than being protected and given access to the rehabilitation and remedy they need, they are subjected to criminal prosecution or immigration penalties, it says.

“All affected States need to summon the political will to strengthen human rights and improve governance and the rule of law, including through serious and sustained efforts to tackle corruption. This must be as much a part of the response to these scams as a robust criminal justice response,” said Türk.

“Only such a holistic approach can break the cycle of impunity and ensure protection and justice for the people who have been so horrifically abused.”

To read the report, click here.

Source

MMRat was spotted for the first time by Trend Micro in late June 2023, primarily targeting users in Southeast Asia and remaining undetected on antivirus scanning services like VirusTotal.

While the researchers do not know how the malware is initially promoted to victims, they found that MMRat is distributed via websites disguised as official app stores.

The victims download and install the malicious apps that carry MMRat, usually mimicking an official government or a dating app, and grant risky permissions like access to Android's Accessibility service during installation.

The malware automatically abuses the Accessibility feature to grant itself additional permissions that will allow it to perform an extensive range of malicious actions on the infected device.

MMRat capabilities

Once MMRat infects an Android device, it establishes a communication channel with the C2 server and monitors device activity to discover periods of idleness.

During that time, the threat actor abuses the Accessibility Service to wake up the device remotely, unlock the screen, and perform bank fraud in real-time.

MMRat's main functions can be summed up in the following:

• Collect network, screen, and battery information
• Exfiltrate the user's contact list and list of installed apps
• Capture user input via keylogging
• Capture real-time screen content from the device by abusing the MediaProjection API
• Record and live-stream camera data
• Record and dump screen data in text form dumps that are exfiltrated to the C2
• Uninstall itself from the device to wipe all evidence of infection

MMRat's ability to capture real-time screen content, and even its more rudimentary 'user terminal state' method that extracts text data requiring reconstruction, both demand efficient data transmission.

Without such efficiency, the performance would hinder threat actors from executing bank fraud effectively, which is why MMRat's authors have opted to develop a custom Protobuf protocol for data exfiltration.

Protobuf advantage

MMRat uses a unique command and control (C2) server protocol based on protocol buffers (Protobuf) for efficient data transfer, which is uncommon among Android trojans.

Protobuf is a method for serializing structured data that Google developed, similar to XML and JSON, but smaller and faster.

MMRat uses different ports and protocols for exchanging data with the C2, like HTTP at port 8080 for data exfiltration, RTSP and port 8554 for video streaming, and custom Protobuf at 8887 for command and control.

"The C&C protocol, in particular, is unique due to its customization based on Netty (a network application framework) and the previously-mentioned Protobuf, complete with well-designed message structures," reads the Trend Micro report.

"For C&C communication, the threat actor uses an overarching structure to represent all message types and the "oneof" keyword to represent different data types."

Apart from the efficiency of Protobuf, custom protocols also help threat actors evade detection by network security tools that look for common patterns of known anomalies.

Protobuf's flexibility allows MMRat's authors to define their message structures and organize how data is transmitted. At the same time, its structured nature ensures that sent data adhere to a predefined schema and are less likely to be corrupted at the recipient's end.

In conclusion, MMRat shows the evolving sophistication of Android banking trojans, adeptly blending stealth with efficient data extraction.

Android users should only download apps from Google Play, check user reviews, only trust reputable publishers, and be cautious at the installation stage where they are requested to grant access permissions.

Source

During this past weekend’s law enforcement operation, Operation Duck Hunt, the FBI redirected the botnet’s network communications to servers under its control, allowing agents to identify approximately 700,000 infected devices (200,000 located in the U.S.).

After they took control of the botnet, the FBI devised a method to uninstall the malware from the victims’ computers, effectively dismantling the botnet’s infrastructure, from the victims’ PCs to the malware operators’ own computers.

What is Qakbot?

Before we learn how the FBI uninstalled Qakbot from computers, it is essential to understand how the malware was distributed, what malicious behavior it performed, and who utilized it.

Qakbot, aka Qbot and Pinkslipbot, started as a banking trojan in 2008, used to steal banking credentials, website cookies, and credit cards to conduct financial fraud.

However, over time, the malware evolved into a malware delivery service utilized by other threat actors to gain initial access to networks for conducting ransomware attacks, data theft, and other malicious cyber activities.

Qakbot is distributed through phishing campaigns that utilize a variety of lures, including reply-chain email attacks, which is when threat actors use a stolen email thread and then reply to it with their own message and an attached malicious document.

These emails typically include malicious documents as attachments or links to download malicious files that install the Qakbot malware on a user’s device.

These documents change between phishing campaigns and range from Word or Excel documents with malicious macros, OneNote files with embedded files, to ISO attachments with executables and Windows shortcuts. Some of them are also designed to exploit zero-day vulnerabilities in Windows.

Regardless of how the malware is distributed, once Qakbot is installed on a computer, it will be injected into the memory of a legitimate Windows processes, such as wermgr.exe or AtBroker.exe, to attempt to evade detection by security software.

For example, the image below depicts the Qbot malware injected into the memory of the legitimate wermgr.exe process.

Once the malware is launched on a device, it will scan for information to steal, including a victim's emails, for use in future phishing email campaigns.

However, the Qakbot operators also partnered with other threat actors to facilitate cybercrime, such as providing ransomware gangs with initial access to corporate networks.

In the past, Qakbot has partnered with multiple ransomware operations, including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and, most recently, Black Basta and BlackCat/ALPHV.

The FBI says that between October 2021 and April 2023, the Qakbot operators earned approximately $58 million from ransomware payments.

How the FBI uninstalled Qakbot

As part of today's announcement, the FBI states that they were able to dismantle the botnet by seizing the attacker's server infrastructure and creating a special removal tool that uninstalled the Qakbot malware from infected devices.

According to an application for seizure warrant released by the Department of Justice, the FBI was able to gain access to the Qakbot admin computers, which helped law enforcement map out the server infrastructure used in the botnet's operation.

Based on their investigation, the FBI determined that the Qakbot botnet utilized Tier-1, Tier-2, and Tier-3 command and control servers, which are used to issue commands to execute, install malware updates, and download additional partner payloads to devices.

Tier-1 servers are infected devices with a "supernode" module installed that act as part of the command and control infrastructure of the botnet, with some of the victims located in the USA. Tier-2 servers are also command and control servers, but the Qakbot operators operate them, usually from rented servers outside the USA.

The FBI says that both the Tier-1 and Tier-2 servers are used to relay encrypted communication with the Tier-3 servers.

These Tier-3 servers act as the central command and control servers for issuing new commands to execute, new malicious software modules to download, and malware to install from the botnet's partners, such as ransomware gangs.

Every 1 to 4 minutes, the Qakbot malware on infected devices would communicate with a built-in list of Tier-1 servers to establish encrypted communication with a Tier-3 server and receive commands to execute or new payloads to install

However, after the FBI infiltrated the Qakbot's infrastructure and administrator's devices, they accessed the encryption keys used to communicate with these servers.

Using these keys, the FBI used an infected device under their control to contact each Tier-1 server and have it replace the already installed Qakbot "supernode" module with one created by law enforcement.

This new FBI-controlled supernode module used different encryption keys not known to the Qakbot operators, effectively locking them out of their own command and control infrastructure as they no longer had any way to communicate with the Tier-1 servers.

The FBI then created a custom Windows DLL (or Qakbot module) [VirusTotal] that acted as a removal tool and was pushed to infected devices from the now-hijacked Tier-1 servers.

Based on an analysis of the FBI module by SecureWorks, this custom DLL file issued the QPCMD_BOT_SHUTDOWN command to the Qakbot malware running on infected devices, which causes the malware process to stop running.

SecureWorks says they first saw this custom module pushed down to infected devices on August 25th at 7:27 PM ET.

"At 00:27 BST on August 25, CTU researchers detected the Qakbot botnet distributing shellcode to infected devices," explains SecureWorks.

"The shellcode unpacks a custom DLL (dynamic link library) executable that contains code that can cleanly terminate the running Qakbot process on the host."

The FBI says that this Qakbot removal tool was authorized by a judge with a very limited scope of only removing the malware from infected devices. Furthermore, as the malware only operates from memory, the removal tool did not read or write anything to the hard drive.

At this time, the FBI is unsure of the total number of devices that have been cleaned in this manner, but as the process started over the weekend, they expect that further devices will be cleaned as they connect back to the hijacked Qakbot infrastructure.

The FBI also shared a database containing credentials stolen by the Qakbot malware with Have I Been Pwned and the Dutch National Police.

As no notifications will be displayed on infected devices when the malware is removed, you can use these services to see if your credentials were stolen, indicating that you may have at one point been infected with the Qakbot malware.

This is not the first time the FBI used a court-approved seizure warrant to remove malware from infected devices.

The FBI previously received court approval to remove the Russian Snake data theft malware and the Emotet malware from infected devices, as well as web shells on Microsoft Exchange servers deployed in ProxyLogon attacks.

While this is definitely a win for law enforcement, it may not be the end of the Qakbot operation as no arrests were made.

Therefore, we will likely see the Qakbot operators begin to rebuild their infrastructure over the next few months through phishing campaigns or by purchasing installations through other botnets.

Source

“The public should be rightly concerned,” Electronic Frontier Foundation Senior Policy Analyst Matthew Guariglia told The Epoch Times. “Congress has completely abdicated their responsibility to protect people's privacy.”

The Biden administration’s 2022 $2.2 trillion infrastructure legislation has led to a dramatic rise in new traffic cameras after federal guidance issued after the bill became law allowed many states to invest in surveillance equipment. Previously, transportation funds allocated to states were limited to fund infrastructure projects, such as repairing roadways and bridges, with the spending of federal funds for cameras only permitted for school zones. However, the Biden administration authorized states to utilize up to 10 percent of the bill's $15.6 billion highway safety funds to purchase cameras and other “automated traffic enforcement” tools—and many did just that.

The most recent data compiled last year by Comparitech, a consumer advocacy group focused on cybersecurity, found that the number of cameras on American streets has exploded, with the average city having around six cameras per 1,000 people while the most-watched city, Atlanta, Georgia, has nearly 50 cameras per 1,000 people. Data revealing the current number of traffic cameras is unavailable, but is expected to be significantly larger.

The decision to open the infrastructure funding to traffic cameras came as an attempt to decrease traffic-related deaths, according to officials.

“Almost 95 percent of our Nation’s transportation deaths occur on America’s streets, roads, and highways, and they are on the rise,” U.S. Transportation Secretary Pete Buttigieg said in the National Roadway Safety Strategy release following passage of the legislation.

However, many see the increase in surveillance technology as a cash grab for cities trying to make up for post COVID budget shortfalls. In March, Washington Mayor Muriel Bowser proposed adding hundreds of new traffic cameras to city streets to compensate for a projected drop in revenue of nearly $400 million. Priya Sarathy Jones, deputy executive director of the Fines and Fees Justice Center, told Reuters that cameras monitoring traffic are “one of the easiest things for us to turn to and generate revenue quickly.”

Further, software upgrades that allow for the ability to analyze the inside of vehicles and the behaviors of the drivers and passengers have raised concerns among privacy advocates of an increasingly intrusive government that would have seemed straight out of a dystopian science fiction novel to past generations.

In the United Kingdom, authorities have already issued hundreds of fines to drivers after AI traffic cameras were used to detect violations such as not wearing a seatbelt.

United Kingdom Civil Liberties campaigner Jake Hurfurt, of Big Brother Watch, told the newspaper The Sun, "This kind of intrusive and creepy surveillance which treats every passer-by as a potential suspect is excessive and normalizing. It poses a threat to everyone’s privacy."

“People should be free to go about their lives without being analyzed by faceless AI systems."

In July, local governments in Australia installed new phone-detection cameras along roads to spot drivers who are texting on their mobile devices.

In America, cities like Seattle, Tacoma, and San Francisco, and Reno have also adopted AI traffic cameras with the stated goal of improving the flow of traffic. Los Angeles and New York have also discussed utilizing the technology.

While the Fourth Amendment to the U.S. Constitution offers protection against video searches conducted by the police, there are currently no general, legally enforceable rules to limit privacy invasions.

Mr. Guariglia warns that the ethical lines between the need for public safety and an Orwelian police state can sometimes become blurred with advances in technology.

“I can definitely see it coming where cameras are doing analytics on passengers inside of a car,” said Mr. Guariglia. “This could make citizens susceptible to police surveillance in giving up the knowledge of where they worship, what lawyer they are going to see, or which reporters they are talking to.”

In at least one other country, residents have already begun fighting back against the technology.

After London rolled out an expansion of its Ultra Low Emission Zone program, which uses AI traffic cameras to identify and fine drivers of older vehicles who enter the city, many citizens showed their outrage through acts of vandalism. Police say this month hundreds of intelligent cameras have been damaged, disconnected, or stolen by a vigilante group who call themselves the Blade Runners.

"The cameras are going to keep coming down," Nick Arlett, an organizer of the protests, told CBS News. "People are angry."

Source

Loopsie - a mobile application capable of creating animated images from user-entered photo data is currently causing a "fever" in the community.

The application reached the number one free download on the App Store in Việt Nam after only a short time.

Vũ Ngọc Sơn, Technical Director of Việt Nam National Cyber Security Technology Corporation told Tin tức (News) online newspaper that photos taken with mobile phones would often provide information about the time, the type of device being used and especially the location where the photo was taken.

From that information, it was possible to summarise your habits, schedules or movements, so people should consider if they did not want their personal information to be leaked, he added.

He added that providing many photographs to an application would also cause risks as the photos could be used to create fake videos.

“If the photos got into the hands of bad people, they could use Deepfake technology to create content that impersonates for wrongful purposes and even scams,” he said.

He said people should be cautious when sharing their personal data, especially facial data as well as those of their loved ones.

"Nothing is free when you use an application in this world," Sơn said.

He also said on careful inspection, the anime photos are not exactly the same as the originals.

However, people still accept and it quickly become a trend because they consider the photos were just for fun, he said.

According to information technology experts, since its inception in 2018, the Loopsie application is little known, but recently, after the developer updated the feature to use AI specialising in image reproduction, the application has quickly created a trend. It only takes about 15-20 seconds for the application to complete an animated photo from the original content.

Việt Khôi, an information technology expert said the trend of photo editing is not new, it is essentially a form of collecting user personal data.

The application of AI technology will create photo editing software with great attraction, he said.

The processing will require the users to upload captured images to the service provider's server, thereby posing the risks of data disclosure, data leakage or use for other purposes, he said.

He recommends that users should not put sensitive or very-private photos into the application to avoid the risks, he said.

Recently, there are many warnings of online scams, which use collected personal data to build trust with victims, he said.

In addition to data such as phone number, citizen identification numbers, residence address, email, and full name, users also need to pay attention to image data, he said.

“Otherwise, one day you will receive Deepfake calls related to financial matters," he said. — VNS

Source

University of Michigan (U-M) is one of the oldest and largest educational institutes in the United States, employing over 30,000 academic and administrative staff and having roughly 51,000 students.

In a series of announcements published on the University's website, starting on Sunday, a cybersecurity incident caused IT outages and disrupted access to vital online services, including Google, Canvas, Wolverine Access, and email.

Although U-M engaged its IT team to restore the impacted systems, the administration felt it was safest to disconnect the U-M network from the internet due to the severity of the incident.

"Sunday afternoon, after careful evaluation of a significant security concern, we made the intentional decision to sever our ties to the internet," reads the status update from Sunday.

"We took this action to provide our information technology teams the space required to address the issue in the safest possible manner."

This includes wired and WiFi campus internet, M-Pathways, eResearch, DART, and all systems used in student registration.

Zoom, Adobe Cloud, Dropbox, Slack, Google, Canvas, and Adobe Cloud services have been restored and can be accessed from outside networks, although their availability is unstable due to overload.

However, the timing of the incident should not be ignored, as the attack occurred on the eve of a new academic year as students and faculty were preparing to start classes.

Due to this, the U-M administration has decided to waive late registration or disenrollment fees for August.

Students rely on the currently offline systems to access class information and to navigate the large campus, especially during the initial days of classes. Due to the lack of access, students will be given special consideration to students for attendance and assignments.

The announcement also warns that some financial aid payments and refunds will be delayed due to the IT outage.

To view up-to-date information about class schedules and locations, students are urged to consult this webpage.

U-M notes that it is working with external cybersecurity experts and federal law enforcement to investigate the attack.

BleepingComputer has contacted U-M to request more information about the nature of the security incident that has impacted the University, but we have not heard back by publication time.

This has been a rough month for educational institutes in Michigan. 

Three weeks ago, Michigan State University disclosed that it had been impacted by the MOVEit data theft attacks.

If you have any information on this attack or other attacks, you can contact us confidentially via Signal at 646-961-3731.

Source

The new flaw, as reported by 404Media.co, was first discovered by an independent security researcher who goes by the handle "Yossi". The article describes how this issue worked:

To start, Yossi sent me a link via Skype text chat to google.com. The link was to the real Google site, and not an imposter. I then opened Skype on an iPad and viewed the chat message. I didn’t even click the link. But very soon after, Yossi pasted my IP address into the chat. It was correct.

The article adds that this issue only affects Skype's mobile apps and does not appear to work on Skype on the desktop. Details about how this issue works on the hacker side were not revealed for security reasons, but the article claims the flaw is "trivially easy to exploit and involves changing a certain parameter related to the link."

Yossi sent over his info about the flaw to Microsoft. The company's initial response to Yossi was that the IP address exposure in Skype "does not meet the definition of a security vulnerability for servicing which would require immediate servicing."

However, when 404media.com asked Microsoft for comment, the company did state that while this issue with Skype was not an immediate security issue based just on the IP address exposure, "we will be addressing it in a future product update as a defense in depth improvement to help keep customers protected." As of this writing, Microsoft has yet to fix this problem.

Source

The three core parts of the Ads privacy are "Ad topics", "App-suggested ads" and "Ad measurement". Ad topics are automatically assigned to the user of the device based on application usage. These predefined categories, such as Sports or Shopping, may change based on usage on the device. Applications that want to display ads to the user may request information about the assigned topics to display matching advertisement. Google notes that the apps do not get other information about the user. Android users may block certain topics on their devices so that the ad topic is never assigned.

App-suggested ads works similarly, only that applications that a user uses may suggest ad topics. These may then be used by other applications on the device. Android users may block apps from suggesting ads and also reset the entire list of suggestions from ads.

Ad measurement, finally, provides apps and advertisers with information that helps them "measure the performance of their ads".

Android users may manage all three options on their devices, once the features are integrated on the devices. Chrome users may notice the resemblance to Chrome's implementation, as it includes similar features. If Android users enable the features on their devices and also in Chrome, information may be shared between the browser, the system and advertisers.

Android users may disable all Ad Privacy features on their device. While that does not mean that they will see fewer ads, it does block Google's incentive and may prevent it from getting even more control over advertising on the Internet.

Tip: check out the article on the Privacy Sandbox integration in Google Chrome for additional information on this.

How to Disable Ads Privacy features on Android

The options are found in the Settings, but the path to the settings may differ (slightly) based on the manufacturer of the device. The following is the path on Samsung devices:

1. Open the Settings on the device.
2. Select Security and Privacy.
3. Activate Privacy on the page that opens.
4. Select Other privacy settings on the next page.
5. Open Ads on the page that opens.
6. Select Ads privacy.
7. Tap on Ad topics and toggle the switch to Off to disable it, then go back to the previous page.
8. Tap on App-suggested ads and toggle the switch to Off to disable the feature, then go back to the previous page.
9. Tap on Ad measurement and flip the switch to Off to disable it, then go back to the previous page.

All three Ads privacy features should have the status Off now. Note that you may also turn the features on at any time, if you want to.

Now You: do you plan to keep the Ads privacy features enabled?

Source

Source

Web browsers like Chrome, Microsoft Edge, and Firefox may be forced to block websites at a software level if the French government has its way. 

In a blog post penned by Firefox's parent company Mozilla, the firm warned on the potential chilling effects the so-called SREN Bill currently travelling through the French regulatory system could have on web browsers, and the free internet at large too. 

Article 6 of the bill describes the French government's desire to force web browsers to bake in tools that would function as filters, acting as a mandatory content blocker for a government-backed list. It's not as if these sorts of laws haven't existed previously. Totalitarian-leaning states like Russia and China already have pervasive internet control tools, but even self-described democracies like Australia and the UK have some over-reaching laws revolving around government snooping and censorship on the web. I distinctly remember my UK ISP blocking Pirate Bay with a big red warning label at one point, although the ban seems to have been relatively short-lived (since it's once again available now). 

What's different here is the mechanism being sought after by the French government. By operating at a browser level, it would give the government a disturbing amount of power, while putting pressure on web browsers to fund systems that could be exploited by totalitarian states.

Mozilla elaborates that, while on the surface, it might not seem wildly different from tools like Microsoft Smart Screen which automatically blocks sites reported as being hotspots for phishing and malware attacks, the key differentiator is that Smart Screen and other similar tools can be bypassed easily by users if necessary. These mechanisms sought after by the French government would simply be a permanent block on any website or platform they see fit. 

Analysis: Dumb governments with dumb ideas

While these kinds of features may be well-intentioned (seriously giving the benefit of the doubt here), having these sorts of systems in place allows future potential governments to exploit them for political gain while remaining within "legal" definitions. Perhaps more crucially, they also never really work in practice. The idea that the French government could somehow prevent the free flow of information this way is asinine, and likely serve only to give browser firms a big headache. The open-source community would have forked versions without government controls prepped in minutes. And then, the potential for legitimate users getting caught out by actual malware would undoubtedly increase, if they had to seek open tools from perhaps less-than-legitimate sources.

The UK is also pushing similar bills through its parliament at the moment. The so-called "Online Safety Bill" would force companies like Microsoft to bake in government-mandated back doors into apps with end-to-end encryption. It would kill apps like WhatsApp, Telegram, and other services that rely on strong encryption methods to keep user data private.  Firms like WhatsApp and Signal have even threatened to exit the UK entirely over the bill. The government often says these bills are about preventing crime, but when governments have a monopoly on violence and incarceration, the definition of crime can shift very quickly. You need only look at the complete and total erosion of free speech in nations like Hong Kong and Russia, where, increasingly, criticism of the government can land you with lengthy prison terms (or worse). Both the UK and French governments have earned themselves a lot of criticism lately ...

Source

The utility is helpful in post-exploitation scenarios where an attacker needs to execute malicious code with higher permissions or to move laterally on a victim network as another user already logged into the infected device.

Access token duplication

Microsoft defines the Windows Filtering Platform (WFP) as “a set of API and system services that provide a platform for creating network filtering applications.”

Developers can use the WFP API to create code that can filter or modify network data before it reaches the destination, capabilities seen in network monitoring tools, intrusion detection systems, or firewalls.

Researchers at cybersecurity company Deep Instinct developed three new attacks to elevate privileges on a Windows machine without leaving too much evidence and without being detected by numerous security products.

The first method allows the use of WFP to duplicate access tokens, the pieces of code that identify users and their permissions in the security context of threads and processes.

When a thread executes a privileged task, security identifiers verify if the associated token has the required level of access.

Ron Ben Yizhak, security researcher at Deep Instinct, explains that calling the NtQueryInformationProcess function allows getting the handle table with all the tokens a process holds.

“The handles to those tokens can be duplicated for another process to escalate to SYSTEM,” Yizhak notes in a technical blog post.

The researcher explains that an important driver in Windows operating system called tcpip.sys has several functions that could be invoked by device IO requests to WPF ALE (Application Layer Enforcement) kernel-mode layers for stateful filtering.

The NoFilter tool abuses WPF in this way to duplicate a token and thus achieve privilege escalation.

By avoiding the call to DuplicateHandle, the researcher says, increases stealth and many endpoint detection and response solutions will likely miss the malicious action.

Getting SYSTEM and admin access token

A second technique involves triggering an IPSec connection and abusing the Print Spooler service to insert a SYSTEM token into the table.

Using the RpcOpenPrinter function retrieves -handle for a printer by name. By changing the name to “\\127.0.0.1,” the service connects to the local host.

Following the RPC call, multiple device IO requests to WfpAleQueryTokenById are necessary to retrieve a SYSTEM token.

Yizhak says that this method is stealthier than the first one because configuring an IPSec policy is an action typically done by legitimate privileged users like network administrators.

A third technique described in Yizhak’s post allows obtaining the token of another user logged into the compromised system for lateral movement purposes.

The researcher says that it is possible to launch a process with the permissions of a logged-in user if the access token can be added to the hash table.

He looked for Remote Procedural Call (RPC) servers running as the logged-in user and ran a script to find processes that run as the domain admin and expose an RPC interface.

To obtain the token and launch an arbitrary process with the permissions of a logged user, the researcher abused the OneSyncSvc service and SyncController.dll, which are new components in the world of offensive tools.

Detection advice

Hackers and penetration testers are likely to adopt the three techniques since reporting them to Microsoft Security Response Center resulted in the company saying that the behavior was as intended. This typically means that there won’t be a fix or mitigation.

However, despite being stealthier than other methods, Deep Instinct provides a few ways to detect the three attacks and recommends looking for the following events:

• Configuring new IPSec policies that don’t match the known network configuration.
• RPC calls to Spooler / OneSyncSvc while an IPSec policy is active.
• Brute force the LUID of a token via multiple calls to WfpAleQueryTokenById.
• Device IO request to the device WfpAle by processes other than the BFE service.

Yizhak presented the three new techniques at the DEF CON hacker conference earlier this month. Complete technical details are available in Deep Instinct’s post.

Source

Source

Cybersecurity company Group-IB discovered the vulnerability, which affects the processing of the ZIP file format by WinRAR, in June. The zero-day flaw — meaning the vendor had no time, or zero days, to fix it before it was exploited — allows hackers to hide malicious scripts in archive files masquerading as “.jpg” images or “.txt” files, for example, to compromise target machines.

Group-IB says hackers have been exploiting this vulnerability since April to spread malicious ZIP archives on specialist trading forums. Group-IB tells TechCrunch that malicious ZIP archives were posted on at least eight public forums, which “cover a wide range of trading, investment, and cryptocurrency-related subjects.” Group-IB declined to name the targeted forums.

In the case of one of the targeted forums, administrators became aware that malicious files were shared and subsequently issued a warning to their users. The forum also took steps to block the accounts used by the attackers, but Group-IB saw evidence that the hackers were “able to unlock accounts that were disabled by forum administrators to continue spreading malicious files, whether by posting in threads or private messages.”

Once a targeted forum user opens the malware-laced file, the hackers gain access to their victims’ brokerage accounts, enabling them to perform illicit financial transactions and withdraw funds, according to Group-IB. The cybersecurity firm tells TechCrunch that the devices of at least 130 traders are infected at the time of writing but notes that it has “no insight on financial losses at this stage.”

One victim told Group-IB researchers that the hackers attempted to withdraw their money, but were unsuccessful.

It’s not known who is behind the exploitation of the WinRAR zero-day. However, Group-IB said it observed the hackers using DarkMe, a VisualBasic trojan that has previously been linked to the “Evilnum” threat group.

Evilnum, also known as “TA4563”, is a financially motivated threat group that has been active in the U.K. and Europe since at least 2018. The group is known for targeting mainly financial organizations and online trading platforms. Group-IB said that while identifying the DarkMe trojan, it “cannot conclusively link the identified campaign to this financially motivated group.”

Group-IB says it reported the vulnerability, tracked as CVE-2023-38831, to WinRAR-maker Rarlab. An updated version of WinRAR (version 6.23) to patch the issue was released on August 2. 

Source

Intel says that 12th Gen and newer chips, like Alder Lake and Raptor Lake, come with Intel's Trust Domain eXtension or TDX which isolates virtual machines (VMs) from virtual machine managers (VMMs) or hypervisors, hence isolating them from the rest of the hardware and the system. These hardware-isolated virtual machines are essentially what "Trust Domains" are and hence the name.

On its support document KB5029778, Microsoft explains:

Microsoft is aware of a new transient execution attack named gather data sampling (GDS) or "Downfall." This vulnerability could be used to infer data from affected CPUs across security boundaries such as user-kernel, processes, virtual machines (VMs), and trusted execution environments.

Intel goes into more detail about Downfall or GDS on its website explaining how attackers can exploit stale data on Intel's 7th Gen (Kaby Lake), 8th Gen (Coffee Lake), 9th Gen (Coffee Lake refresh), 10th Gen (Comet Lake) and 11th Gen (Rocket Lake on desktop/Tiger Lake on mobile), which lack previously mentioned TDX. It writes:

Gather Data Sampling (GDS) is a transient execution side channel vulnerability affecting certain Intel processors. In some situations when a gather instruction performs certain loads from memory, it may be possible for a malicious attacker to use this type of instruction to infer stale data from previously used vector registers. These entries may correspond to registers previously used by the same thread, or by the sibling thread on the same processor core.

Intel has confirmed the issue is resolved by microcode update (MCU) or Intel Platform Update (IPU) version 20230808 as the mitigation is enabled by default. Hence, users with 7th Gen, up to 11th Gen Intel CPUs are advised to update their motherboard firmware. You can do so by visiting the support section of your motherboard manufacturer's website.

Though it notes that there may be some performance hit, in which case users can choose to "opt out". Head over to Intel's security advisory (INTEL-SA-00828) for more details.

Source

Duolingo is one of the largest language learning sites in the world, with over 74 million monthly users worldwide.

In January 2023, someone was selling the scraped data of 2.6 million DuoLingo users on the now-shutdown Breached hacking forum for $1,500.

This data includes a mixture of public login and real names, and non-public information, including email addresses and internal information related to the DuoLingo service.

While the real name and login name are publicly available as part of a user's Duolingo profile, the email addresses are more concerning as they allow this public data to be used in attacks.

When the data was for sale, DuoLingo confirmed to TheRecord that it was scraped from public profile information and that they were investigating whether further precautions should be taken.

However, Duolingo did not address the fact that email addresses were also listed in the data, which is not public information.

As first spotted by VX-Underground, the scraped 2.6 million user dataset was released yesterday on a new version of the Breached hacking forum for 8 site credits, worth only $2.13.

"Today I have uploaded the Duolingo Scrape for you to download, thanks for reading and enjoy!," reads a post on the hacking forum.

This data was scraped using an exposed application programming interface (API) that has been shared openly since at least March 2023, with researchers tweeting and publicly documenting how to use the API.

The API allows anyone to submit a username and retrieve JSON output containing the user's public profile information. However, it is also possible to feed an email address into the API and confirm if it is associated with a valid DuoLingo account.

BleepingComputer has confirmed that this API is still openly available to anyone on the web, even after its abuse was reported to DuoLingo in January.

This API allowed the scraper to feed millions of email addresses, likely exposed in previous data breaches, into the API and confirm if they belonged to DuoLingo accounts. These email addresses were then used to create the dataset containing public and non-public information.

Another threat actor shared their own API scrape, pointing out that threat actors wishing to use the data in phishing attacks should pay attention to specific fields that indicate a DuoLingo user has more permission than a regular user and are thus more valuable targets.

BleepingComputer has contacted DuoLingo with questions on why the API is still publicly available but did not receive a reply at the time of this publication.

Scraped data regularly dismissed

Companies tend to dismiss scraped data as not an issue as most of the data is already public, even if it is not necessarily easy to compile.

However, when public data is mixed with private data, such as phone numbers and email addresses, it tends to make the exposed information more risky and potentially violate data protection laws.

For example, in 2021, Facebook suffered a massive leak after an "Add Friend" API bug was abused to link phone numbers to Facebook accounts for 533 million users. The Irish data protection commission (DPC) later fined Facebook €265 million ($275.5 million) for this leak of scraped data.

More recently, a Twitter API bug was used to scrape the public data and email addresses of millions of users, leading to an investigation by the DPC.

Source

Source

EVERY SOFTWARE SUPPLY chain attack, in which hackers corrupt a legitimate application to push out their malware to hundreds or potentially thousands of victims, represents a disturbing new outbreak of a cybersecurity scourge. But when that supply chain attack is pulled off by a mysterious group of hackers, abusing a Microsoft trusted software model to make their malware pose as legitimate, it represents a dangerous and potentially new adversary worth watching.

Today, researchers on the Threat Hunter Team at Broadcom-owned security firm Symantec revealed that they'd detected a supply chain attack carried out by a hacker group that they've newly named CarderBee. According to Symantec, the hackers hijacked the software updates of a piece of Chinese-origin security software known as Cobra DocGuard, injecting their own malware to target about 100 computers across Asia, mostly in Hong Kong. Though some clues, like the exploitation of DocGuard and other malicious code they installed on victim machines, loosely link CarderBee with previous Chinese state-sponsored hacking operations, Symantec declined to identify CarderBee as any previously known group, suggesting it may be a new team.

Beyond the usual disturbing breach of trust in legitimate software that occurs in every software supply chain, Symantec says, the hackers also managed to get their malicious code—a backdoor known as Korplug or PlugX and commonly used by Chinese hackers—digitally signed by Microsoft. The signature, which Microsoft typically uses to designate trusted code, made the malware far harder to detect.

“Any time we see a software supply chain attack, it’s somewhat interesting. But in terms of sophistication, this is a cut above the rest,” says Dick O'Brien, a principal intelligence analyst on Symantec's research team. “This one has the hallmarks of an operator who knows what they’re doing.”

Cobra DocGuard, which is ironically marketed as security software for encrypting and protecting files based on a system of users' privileges inside an organization, has around 2,000 users, according to Symantec. So the fact that the hackers chose just 100 or so machines on which to install their malware—capable of everything from running commands to recording keystrokes—suggests that CarderBee may have combed thousands of potential victims to specifically target those users, O’Brien argues. Symantec declined to name the targeted victims or say whether they were largely government or private sector companies.

The Cobra DocGuard application is distributed by EsafeNet, a company owned by the security firm Nsfocus, which was founded in Mainland China in 2000 but now describes its headquarters as Milpitas, California. Symantec says it can't explain how CarderBee managed to corrupt the company's application, which in many software supply chain attacks involves hackers breaching a software distributor to corrupt their development process. Nsfocus didn't respond to WIRED's request for comment.

Symantec's discovery isn't actually the first time that Cobra DocGuard has been used to distribute malware. Cybersecurity firm ESET found that in September of last year a malicious update to the same application was used to breach a Hong Kong gambling company and plant a variant of the same Korplug code. ESET found that the gambling company also had been breached via the same method in 2021.

ESET pinned that earlier attack on the hacker group known as LuckyMouse, APT27, or Budworm, which is widely believed to be based in China and has for more than a decade targeted government agencies and government-related industries, including aerospace and defense. But despite the Korplug and CobraGuard connections, Symantec says it's too early to link the wider supply chain attack it has uncovered to the group behind the previous incidents.

“You can't rule out the idea that one APT group compromises this software, and then it becomes known that this software is vulnerable to this kind of compromise, and somebody else does it as well,” says Symantec's O'Brien, using the term APT to mean “advanced, persistent threat,” a common industry term for state-sponsored hacker groups. “We don't want to jump to conclusions.” O'Brien notes that another Chinese group, known as APT41 or Barium, has also carried out numerous supply chain attacks—perhaps more than any other team of hackers—and has used Korplug, too.

To add to the attack's stealth, the CarderBee hackers managed to somehow deceive Microsoft into lending extra legitimacy to their malware: They tricked the company into signing the Korplug backdoor with the certificates Microsoft uses in its Windows Hardware Compatibility Publisher program to designate trusted code, making it look far more legit than it is. That program typically requires a developer to register with Microsoft as a business entity and submit their code to Microsoft for approval. But the hackers appear to have obtained a Microsoft signature through either developer accounts they created themselves or obtained from other registered developers. Microsoft didn't respond to WIRED's request for more information on how it ended up signing malware used in the hackers' supply chain attack.

Malware that's signed by Microsoft is a long-running problem. Getting access to a registered developer account represents a hurdle to hackers, says Jake Williams, a former US National Security Agency hacker now on faculty at the Institute for Applied Network Security. But once that account is obtained, Microsoft is known to take a lax approach to vetting registered developers' code. “They typically sign whatever you, as the developer, submit,” Williams says. And those signatures can, in fact, make malware far harder to spot, he adds. “So many folks, when they threat-hunt, they start by exempting things that are signed by Microsoft,” Williams says.

That code-signing trick, combined with a well-executed supply chain attack, suggests a level of sophistication that makes CarderBee uniquely worthy of tracking, says Symantec's O'Brien—even for those outside of its current targeting in Hong Kong or Chinese neighbor countries. Regardless of whether you’re in China’s orbit, says O’Brien, “it’s certainly one to look out for.”

Source

Both versions support the creation of custom scripts, but only the software version includes options to run the custom scripts right away.

A quick look at the online version of Privacy is Sexy explains how the service works and how it differs from other privacy tools. Users select one of the supported operating systems, say Windows, and may then pick one of the available categories to browse available options or use the built-in search.

Categories such as privacy cleanup, disable OS data collection, remove bloatware, or privacy over security, list dozens of customization options.

Remove bloatware, for example, lists scripts to uninstall Windows Store apps, remove OneDrive and other built-in Windows features, or to remove Widgets on Windows 11. Several of these list multiple options, e.g., selecting the application uninstallation option lists most apps that Microsoft ships with the Windows operating system by default.

Not all scripts are designed to improve privacy by removing features or making changes to the system. There is the security improvements category, which lists options to enable Meltdown and Spectre protections, disable unsafe features, or to prevent WinRM from using basic authentication.

It takes a while to go through the entire list of available options. The web-based version of Privacy is Sexy lists 648 scripts for Windows, 129 scripts for macOS and 127 scripts for Linux at the time of writing

Scripts are selected with clicks on checkboxes and added to a custom script that contains all the user's selections. The custom script is listed on the same page, giving users full control.

Most options include a revert button, which may be used to revert changes made earlier. Sometimes, removing features may lead to unintentional consequences, and the revert option ensures that issues can be corrected.

The custom script can be downloaded to the local system or copied to the Clipboard.

The main difference between the web-based version and application is that the latter includes an option to run the script right on the local system. The software-version seems to be based on Electron, which

Scripts are saved in a format that the selected operating system supports. On Windows, scripts are saved as .bat files, which users may run on any local system once downloaded.

Closing Words

Privacy is Sexy is a useful tool for intermediate and advanced users who want to improve privacy, security and remove bloat from their operating systems. The lack of explanations makes this less of a suitable tool for new and inexperienced users. While there are revert options available, some of the scripts may break required functionality.

Most users may want to create a system backup, for instance using Paragon's Backup & Recovery Free software for Windows, before they run scripts on the local system.

Now You: do you use privacy tools? (via Deskmodder)

Source

Seiko is one of the world's largest and most historic watchmakers, with roughly 12,000 employees and an annual revenue that surpasses $1.6 billion.

On August 10th, 2023, the company published a notice of a data breach informing that an unauthorized third-party gained access to at least a part of its IT infrastructure and accessed or exfiltrated data.

"It appears that [on July 28, 2023] some as-yet-unidentified party or parties gained unauthorized access to at least one of our servers," reads Seiko's announcement.

"Subsequently, on August 2nd, we commissioned a team of external cybersecurity experts to investigate and assess the situation."

"As a result, we are now reasonably certain that there was a breach and that some information stored by our Company and/or our Group companies may have been compromised."

Seiko apologized to the potentially impacted customers and business partners and urged them to be vigilant against email or other communication attempts potentially impersonating Seiko.

BlackCat assuming responsibility

Today, the BlackCat ransomware group claimed to be behind the attack on Seiko, posting samples of data that they claim to have stolen during the attack.

In the listing, the threat actors mock Seiko's IT security and leak what appear to be production plans, employee passport scans, new model release plans, and specialized lab test results.

Most worryingly, the threat actors have leaked samples of what they claim are confidential technical schematics and Seiko watch designs.

This indicates that BlackCat very likely possesses drawings that showcase Seiko internals, including patented technology, which would be damaging to publish and expose to competitors and imitators.

BlackCat is one of the most advanced and notorious ransomware gangs actively targeting the enterprise, constantly evolving its extortion tactics.

For example, the group was the first to use a clearweb website dedicated to leaking data for a particular victim and, more recently, created a data leak API, allowing for easier distribution of stolen data.

Update 8/21/23: After publishing this story, researchers at Curated Intel told BleepingComputer that an initial access broker (IAB) was selling access to a Japanese manufacturing company on July 27th, one day before Seiko said they were initially breached.

While the IAB did not share the name of the company they were selling access to, they did say the company is in manufacturing and has '1.8B' in revenue per Zoominfo, which is an exact match to Seiko's Zoominfo page.

BleepingComputer has contacted Seiko for additional comments on the threat actor's claims, but we have not received a response by publication time.

Source

As private space companies have ramped up production and launches in the past several years, they’ve also been unwittingly putting a target on their back. U.S. government agencies are warning the private space sector that they are in the crosshairs of foreign intelligence agencies.

The warning comes from the FBI, the National Counterintelligence and Security Center, and the Air Force this morning in a two-page bulletin. The bulletin says that foreign intelligence agencies could target company employees, contractors, or suppliers in order to obtain sensitive information on key spaceflight operations. These attacks may include cyberattacks, which the release says could be evidenced by unusual amounts of activity on companies’ digital networks.

“We anticipate growing threats to this burgeoning sector of the U.S. economy,” an unnamed U.S. counterintelligence official said, as quoted by Reuters. “China and Russia are among the leading foreign intelligence threats to the U.S. space industry.”

The warning is a push from Washington to secure the burgeoning private space agency. Fortune reports that commercial space revenue grew 7.9% in 2022 from $396.2 billion to $427.6 billion. The entirety of the space economy meanwhile is set to grow 41% over the next five years from $546 billion in 2022 and could grow to a whopping $1 billion by 2030 according to McKinsey & Company. To secure this investment, the three agencies encourage private space companies to contact the FBI and the Department of the Air Force Office of Special Investigations.

The warning comes after the European Space Agency fielded a cyber attack earlier this year. In a controlled experiment, hackers demonstrated that they could breach an ESA OPS-SAT nanosatellite in low-Earth orbit to gain control of the spacecraft’s GPS, altitude control, and the onboard camera. Closer to home, however, images from NASA’s Webb Space Telescope were infected with malware using a phishing email and a phony Microsoft Office attachment. Private space companies have not been without their hacks either. Belgian security researchers demonstrated how to easily hack a SpaceX satellite using a custom circuit board attached to a satellite dish on Earth.

Source

Progress is being made "to recover critical systems and restore their integrity," Prospect Medical Holdings said in a Friday statement. But the company, which runs 16 hospitals and dozens of other medical facilities in California, Connecticut, Pennsylvania, Rhode Island and Texas, could not say when operations might return to normal.

"We do not yet have a definitive timeline for how long it will be before all of our systems are restored," spokeswoman Nina Kruse said in a text message. "The forensic investigation is still underway and we are working closely with law enforcement officials."

The recovery process can often take weeks, with hospitals in the meantime reverting to paper systems and people to monitor equipment, run records between departments and do other tasks usually handled electronically, John Riggi, the American Hospital Association's national advisor for cybersecurity and risk, said at the time of the breach.

The attack, which was announced Aug. 3, had all the hallmarks of extortive ransomware but officials would neither confirm nor deny this. In such attacks, criminals steal sensitive data from targeted networks, activate encryption malware that paralyzes them and demand ransoms.

Manchester Memorial Hospital is seen Friday, Aug. 4, 2023 in Manchest

The FBI advises victims not to pay ransoms as there is no guarantee the stolen data won't eventually be sold on dark web criminal forums. Paying ransoms also encourages the criminals and finances attacks, Riggi said.

As a result of the attack, some elective surgeries, outpatient appointments, blood drives and other services are still postponed.

Eastern Connecticut Health Network, which includes Rockville General and Manchester Memorial hospitals as well as a number of clinics and primary care providers, was running Friday on a temporary phone system.

Waterbury Hospital has been using paper records in place of computer files since the attack but is no longer diverting trauma and stroke patients to other facilities, spokeswoman Lauresha Xhihani told the Republican-American newspaper.

"PMH physicians, nurses, and staff are trained to provide care when our electronic systems are not available," Kruse wrote. "Delivering safe, quality care is our most important priority."

The Los Angeles Community Hospital exterior is seen in Los Angeles on Friday, Aug. 4, 2023. Hospitals, including this one, and clinics in several states on Friday began the time-consuming process of recovering from a cyberattack that disrupted their computer systems, forcing some emergency rooms to shut down and ambulances to be diverted. Credit: AP Photo/Damian Dovarganes

Globally, the health care industry was the hardest-hit by cyberattacks in the year ending in March, according to IBM's annual report on data breaches. For the 13th straight year it reported the most expensive breaches, averaging $11 million each. Next was the financial sector at $5.9 million.

Health care providers are a common target for criminal extortionists because they have sensitive patient data, including histories, payment information, and even critical research data, Riggi said.

© 2023 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed without permission.

Source

Source

For some time, LockBit has been at the top of the ransomware "industry," usually leading the pack in the number of victims based on the operation's data leak site.

However, as explained by DiMaggio, the LockBit operation appears to be slipping, with the gang having a serious storage infrastructure problem that impacts its ability to release stolen data and extort victims.

Like all enterprise-targeting ransomware operations, when conducting attacks, the threat actors first breach a network and quietly harvest data to be used in later extortion demands. Only after all the valuable data has been stolen and backups deleted do the threat actors deploy the ransomware to begin encrypting files.

This stolen data is used as leverage while extorting victims by publishing it on a data leak site if a ransom is not paid.

However, DiMaggio has learned that LockBit has a serious storage issue, preventing the operation from properly leaking data and frustrating affiliates who want to use the data leak site as part of their extortion strategy.

"It has used propaganda on its leak site and a strong narrative across criminal forums to hide the fact it often cannot consistently publish stolen data," the researcher explained in his report.

"Instead, it relies on empty threats and its public reputation to convince victims to pay. Somehow, no one but affiliate partners noticed. This problem is due to limitations in its backend infrastructure and available bandwidth.

To make matters worse, the public-facing LockBit representative, LockBitSupp, disappeared for a while, not appearing on Tox or answering questions from affiliates.

This led to affiliates being concerned the operation was compromised, with some telling DiMaggio that they had begun to switch to new ransomware operations.

This chaos in the LockBit operation has not gone unnoticed by other security analysts, with Allan Liska also warning there has been a sharp decrease in the operation's activity.

Other ransomware news

In other ransomware news, we saw some great research released this deep dives on new encryptors:

• Microsoft shared some info on BlackCat's Sphynx encryptor.
• SecureScoreCard shared a technical analysis of the Underground ransomware.
• Trend Micro shared news of a new Linux/VMware ESXi encryptor for Monti.
• Will Thomas released a report on how the Oktapus gang may be working with BlackCat.

The MOVEit data theft attacks continue to be a thorn in the side of organizations worldwide, with colourado warning that the data of 4 million people was stolen as part of these attacks.

Finally, a new phishing campaign was discovered, pushing the new Knight ransomware as TripAdvisor complaints.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @LawrenceAbrams, @fwosar, @BleepinComputer, @billtoulas, @serghei, @Seifreed, @demonslay335, @Jon__DiMaggio, @security_score, @vxunderground, @MsftSecIntel, @TrendMicro, @IBMSecurity, @felixw3000, @uptycs, @BushidoToken, @adlumin, and @pcrisk.

August 12th 2023

Knight ransomware distributed in fake Tripadvisor complaint emails

The Knight ransomware is being distributed in an ongoing spam campaign that pretends to be TripAdvisor complaints.

August 14th 2023

Monti ransomware targets VMware ESXi servers with new Linux locker

The Monti ransomware gang has returned, after a two-month break from publishing victims on their data leak site, using a new Linux locker to target VMware ESXi servers, legal, and government organizations.

colourado warns 4 million of data stolen in IBM MOVEit breach

The colourado Department of Health Care Policy & Financing (HCPF) is alerting more than four million individuals of a data breach that impacted their personal and health information.

Underground Ransomware deployed by Storm-0978 that exploited CVE-2023-36884

The Underground ransomware is the successor of the Industrial Spy ransomware and was deployed by a threat actor called Storm-0978. The malware stops a target service, deletes the Volume Shadow Copies, and clears all Windows event logs.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .tasa and .taoy extensions.

August 15th 2023

Ransomware Diaries: Volume 3 – LockBit’s Secrets

In this volume of the Ransomware Diaries, I will share interesting, previously unknown details of the LockBit ransomware operation that LockBit has tried very hard to cover up. Until now, you have been lied to about LockBit’s true capability. Today, I will show you the actual current state of its criminal program and demonstrate with evidence-backed analysis that LockBit has several critical operational problems, which have gone unnoticed.

New Allahu Akbar ransomware variant

PCrisk found a new STOP ransomware variant that appends the .allahuakbar extension and drops a ransom note named how_to_decrypt.txt.

New Retch ransomware variant

PCrisk found a new ransomware variant that appends the .Retch extension and drops a ransom note named HOW TO RECOVER YOUR FILES.txt.

August 16th 2023

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention.

August 17th 2023

Microsoft: BlackCat's Sphynx ransomware embeds Impacket, RemCom

Microsoft has discovered a new version of the BlackCat ransomware that embeds the Impacket networking framework and the Remcom hacking tool, both enabling spreading laterally across a breached network.

PlayCrypt Ransomware Group Wreaks Havoc in Campaign Against Managed Service Providers

The Adlumin Threat Research team uncovered a concentrated global campaign employing sophisticated Play ransomware (also identified as PlayCrypt). The campaign is currently targeting mid- market enterprises in the finance, software, legal, and shipping and logistics industries, as well as state, local, tribal and territorial (SLTT) entities in the U.S., Australia, U.K., and Italy. The PlayCrypt ransomware group was previously linked to the City of Oakland attack in March 2023.

New Retch ransomware variant

PCrisk found a new ransomware variant that appends the .Retch extension and drops a ransom note named HOW TO RECOVER YOUR FILES.txt.

That's it for this week! Hope everyone has a nice weekend!

Source